If it is a harvesting or dictionary attack, your best bet is an automated way to temporarily block connections from an IP after x amount of invalid recipients or tarpit the IP after x amount of invalid recipients. Someone else has posted a couple of links of how to do this on Exchange, but IMHO you want to do this before your Exchange server unless you are a small shop and do not have other resources.

My clients' Exchange servers sit behind my e-mail server, which is acting as a gateway for them, and that server sits behind 3 MS SMTP servers with ORF running. ORF is actually a very good product that is growing but does not get mentioned much. It can install on any server running IIS as it works directly with the IIS SMTP service.

A harvest attack is where the attacking server(s) will "send" an e-mail to every possible address at your domain from a through zzzzzzzzzzz (you get the idea) to find out which are valid addresses. The proper way to fight this is either to block the IP after so many invalid recipients or to tarpit, which means waiting 30 to 60 seconds to respond with a 5.1.x indicating an invalid address.

John T
eServices For You

-----Original Message-----
From: Rich Gallo [mailto:RGallo@xxxxxxxxxxxxxxxxx]
Sent: Thursday, January 05, 2006 11:55 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Some Advice Please
Sensitivity: Private

http://www.MSExchange.org/

Hey John T.

Thanks so much for the info. Just a little more specific - can you point me in the right direction to stop the harvest attack?? I am gonna start Googling that now.

Thanks John!
Rich
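
The two countermeasures described in the reply above (temporary block after x invalid recipients, or a tarpit delay before the 5.1.x response), as an added example that is not part of the original thread and is not how ORF or Exchange implement it. The class name, thresholds, action labels and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class HarvestGuard:
    """Per-IP invalid-recipient tracker for an SMTP gateway (hypothetical helper)."""

    def __init__(self, tarpit_after=3, block_after=10, window=300,
                 tarpit_delay=30, block_seconds=3600):
        self.tarpit_after = tarpit_after    # invalid RCPTs before replies are delayed
        self.block_after = block_after      # invalid RCPTs before a temporary block
        self.window = window                # seconds over which failures are counted
        self.tarpit_delay = tarpit_delay    # seconds to wait before the 5.1.x reply
        self.block_seconds = block_seconds  # how long a temporary block lasts
        self.failures = defaultdict(deque)  # ip -> timestamps of invalid RCPTs
        self.blocked_until = {}             # ip -> time at which the block expires

    def on_rcpt(self, ip, recipient_valid, now):
        """Return (action, delay_seconds) for one RCPT TO from `ip` at time `now`."""
        if self.blocked_until.get(ip, 0) > now:
            return ("block", 0)             # refuse while the block is active
        self.blocked_until.pop(ip, None)    # block (if any) has expired
        if recipient_valid:
            return ("accept", 0)
        q = self.failures[ip]
        q.append(now)
        while q and q[0] <= now - self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.block_after:
            self.blocked_until[ip] = now + self.block_seconds
            q.clear()
            return ("block", 0)
        if len(q) >= self.tarpit_after:
            return ("reject", self.tarpit_delay)  # delayed 5.1.x reply (tarpit)
        return ("reject", 0)                      # immediate 5.1.x reply

def replay(events, guard):
    """Run (time, ip, recipient_valid) events through the guard in order."""
    return [guard.on_rcpt(ip, ok, t) for t, ip, ok in events]

# Constructed sample: 192.0.2.10 walks a dictionary, 198.51.100.7 makes one typo.
VALID = {"rich", "john"}
SAMPLE = [(i, "192.0.2.10", name in VALID)
          for i, name in enumerate(["a", "aa", "ab", "john", "ac", "ad"])]
SAMPLE.append((6, "198.51.100.7", False))

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE, HarvestGuard(block_after=5))):
        print(event, "->", result)
```

The sliding window keeps a legitimate sender with an occasional mistyped address below both thresholds, while a sender that keeps guessing is first slowed and then refused for a limited time.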